Exactly like the title said, How can I apply local group policy to multiple computers? Around 500 PCs (I think) I understand the domain group policy can push down the policy but for my scenario here, The computers are NOT suppose to joined to any domains till this local Computer Policy is in place. So in terms of the PC whether it joins a domain or not, it will always have the Policy been applied.

The workstation are not going to join any domain, I need to push this Local Group Policy or Local Computer Policy to be exact to alot of PCs, but can I import or export this policy? this "Copy the contents of c:\windows\system32\grouppolicy" doesn't seem to work, anyone can enlighten me here?
–
AmosJul 22 '13 at 2:12

1

Sorry, but that sounds crazy. You're going to go to 500 separate PC's, log on to each one with a local account, and apply these settings? That's pretty much exactly why active directory was invented...
–
Mark Henderson♦Jul 22 '13 at 2:17

The answer is using a domain... doing it manually like you are asking is a management nightmare. There is no reason I can think of why you would want to do this manually.
–
CheekaleakJul 22 '13 at 2:20

Yes i know it's crazy when I have around 500 PCs in different levels in the building, Bear with me, This is quite a special request from a client, I'm planning to let all 500 PCs join a domain, then add in a scheduler task to run a remote scrip to apply this Local Computer Policy, so It will have Local Policy Even if it quits the domain, Anyway Thanks! I found my answer
–
AmosJul 22 '13 at 2:31

1 Answer
1

Within this folder, there are two folders – “machine” and “user”. Copy these to folders to the %systemroot%\system32\grouppolicy – folder on the target machine. All it needs now is a reboot or a “gpupdate /force”.

For security settings:

1.) Open MMC and add the Snapin “Security Templates”.

2.) Create your own customized template and save it as an “*inf” file.

3.) Copy the file to the target machine and import it via command line tool “secedit”:

secedit /configure /db %temp%\temp.sdb /cfg <'yourGP'>.inf

Out of curiosity - why aren't these going on the domain? Any changes you will need to make will require doing this to all the PCs every time. I highly discourage using local GPOs on this amount of machines.

Not to mention that if they aren't in a domain, the local administrator can just undo anything you do...
–
Michael Hampton♦Jul 22 '13 at 2:27

there's going to be different Policy Local Computer Local like Non-Administrator and such, This solution i saw it a couple of times actually the gpupdate /force is very important, as the version number in the file must be larger therefore the /force is very very important. I only did the gpupdate that's why the policy didn't get applied. hope this is helpful to someone in future
–
AmosJul 22 '13 at 2:32

2

@user2589621 That's ridiculous. If you apply the group policy in the domain, then the computers will get it automatically when you join them. Which will save you about 500 trips to each PC...
–
Michael Hampton♦Jul 22 '13 at 2:38

1

@Amos if they have the ability to leave the domain, they will have the ability to remove the local GPO - so this all this effort is not worth your time if that's the case. Without knowing exactly what you're trying to accomplish with the local GPO, no one can tell you the best course of action.
–
coleJul 22 '13 at 2:46

2

@Amos No offense intended, but you're in way over your head. Pull back now and find a consultant or someone who really knows this stuff to help you.
–
Chris S♦Jul 22 '13 at 4:01